nach oben

Erschienen in:

2012 | OriginalPaper | Buchkapitel

5. A Security Model for Virtual Healthcare Communities

verfasst von : Anargyros Chryssanthou, Iraklis Varlamis, Charikleia Latsiou

Erschienen in: Virtual Communities, Social Networks and Collaboration

Verlag: Springer New York

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Virtual healthcare communities aim in bringing together healthcare professionals and patients in order to further improve the quality of healthcare services and assist healthcare professionals and researchers in their everyday activities. Patient monitoring and medical consultation – the two most popular activities inside virtual healthcare communities – require members’ collaboration in a secure and reliable environment. In this environment, patients share their medical data with doctors, expect confidentiality, and demand reliable medical consultation. Apart from a concrete policy framework, several ethical, legal, and technical issues must be considered in order to build a trustful community. This work presents the architecture of a virtual healthcare community portal, giving emphasis on the security issues that arise when attempting to manage risk inside such a community. Following a standardized risk assessment process, which identifies, estimates, and evaluates all potential security risks for the community, a security model is developed, and the community architecture is designed. Finally, a set of usage scenarios, with reference to real events, is employed in order to uncover security risks and illustrate the solutions provided by the proposed architecture.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Vorheriges Kapitel Organizational Design of Online Communities

Nächstes Kapitel Cybernationalism: Terrorism, Political Activism, and National Identity Creation in Virtual Communities and Social Media

The administrators of the community could be physical entities (persons) or legal entities, in terms of an authority which supervises the community. A hospital could be the authority in question.

A complete list of security controls that are applicable to any kind of organization structure can be found in ISO 27001:2005 (Annex A) and in ISO 27002:2005.

The term data controller is analyzed in detail in Opinion 1/2010 of Article 29 Working Party [3] (Working Party that was set up under Article 29 of EU Data Protection Directive) on the concepts of “controller” and “processor.” This opinion is available on http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/wpdocs/2010_en.htm (Last accessed on June 4, 2010). According to Article 2 paragraph d’ of the EU Data Protection Directive, the term “data controller” “shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.” The same definition for the term “data controller” is given in ISO 22857:2004 (Terms and Definitions, paragraph 3.3).

DataLoss database report of incident 224 [cited June 4, 2010]. Available from http://datalossdb.org/incidents/224-hacker-gains-opportunity-to-view-patient-medical-records

DataLoss database report of incident 2143 [cited June 4, 2010]. Available from http://datalossdb.org/incidents/2143-employee-steals-patients-medical-records-for-counterfeiter

DataLoss database report of incident 1935 [cited June 4, 2010]. Available from http://datalossdb.org/incidents/1935-laptop-containing-the-personal-details-of-about-200-cancer-patients-stolen

First live SiteKey exploit seen in operation (30/10/2007) [cited June 4, 2010]. Available from http://cr-labs.com/publications/SiteKeyExploit-20071030%131.pdf

Former Hacker Tackles IVR and Voice Biometric Security [cited June 4, 2010]. Available from http://www.speechtechmag.com/Articles/Editorial/FYI/Former-Hacker-Tackles-IVR-and-Voice-Biometric-Security-50358.aspx

DataLoss database report of incident 2174 [cited June 4, 2010]. Available from http://datalossdb.org/incidents/2174-personal-health-information-of-11%13582-stolen-by-virus

Akyildiz, I. F., Su, W., Sankarasubramaniam, Y., & Cayirci, E. (2002). Wireless sensor networks: A survey. Computer Networks, 38(4), 393–422.CrossRef

Apostolakis, I., Chryssanthou, A., & Varlamis, I. (2009). A holistic perspective of security in health related virtual communities. In A. Lazakidou & K. Siassiakos (Eds.), Handbook of research on distributed medical informatics and E-health (pp. 367–381). Hershey, PA: IGI Global.

Article 29 Data Protection Working Party. (2010, February). Opinion 1/2010 on the concepts of “controller” and “processor”. Brussels, Belgium.

Becker, M. Y., Fournet, C., & Gordon, A. D. (2007, July 6–8). Design and semantics of a decentralized authorization language. In Proceedings of the 20th IEEE Computer Security Foundations Symposium (CSF 07), Venice, Italy (pp. 3–15). Washington, DC: IEEE Computer Society.

Becker, M. Y., & Sewell, P. (2004, June 28–30). Cassandra: Flexible trust management applied to electronic health records. In Proceedings of the 17th IEEE Workshop on Computer Security Foundations; Asilomar Conference Center, CA, USA, 2004 (pp. 139–154). Washington, DC: IEEE.

Blaze, M., Kannan, S., Lee, I., Sokolsky, O., Smith, J. M., Keromytis, A. D., et al. (2009, February). Dynamic trust management. IEEE Computer Magazine, 42(2), 44–52.

Chryssanthou, A., Latsiou, C., & Varlamis, I. (2009, June 9–13). Security and trust in virtual healthcare communities. In Proceedings of the 2nd International Conference on Pervasive Technologies Related to Assistive Environments (PETRA 09), Corfu, Greece (pp. 1–8). New York: ACM Press.

Curtis, D. W., Pino, E. J., Bailey, J. M., Shih, E. I., Waterman, J., Vinterbo, S. A., et al. (2008). SMART – An integrated, wireless system for monitoring unattended patients. Journal of the American Medical Informatics Association, 15(1), 44–53.CrossRef

Cyberinsecure.com. (2008, July 18). Asprox botnet mass attack hits governmental, healthcare, and top business websites [cited 2010 June 4]. Retrieved July 30, 2010, from http://cyberinsecure.com/asprox-botnet-mass-attack-hits-governmental-healthcare-and-top-business-websites/

10.

DataLoss Database. (2010, June). Open security foundation; c2005–2010. Available from http://datalossdb.org

11.

Demiris, G. (2005). Virtual communities in health care. In B. Silverman, A. Jain, A. Ichalkaranje, & L. Jain (Eds.), Intelligent paradigms for healthcare enterprises (Germany-studies in fuzziness and soft computing, Vol. 184, pp. 121–137). Berlin/Heidelberg: Springer.CrossRef

12.

Demiris, G., Parker, O. D., Fleming, D., & Edison, K. (2004). Hospice staff attitudes towards telehospice. The American Journal of Hospice & Palliative Care, 21(5), 343–348.CrossRef

13.

Dixon P (2006, March 3). Medical identity theft: The information crime that can kill you [cited 2010 January 4]. The World Privacy Forum. First report in a series [Internet]. Cardiff by the Sea, CA, USA: World Privacy Forum. Retrieved May 22, 2011, from http://www.worldprivacyforum.org/pdf/wpf_medicalidtheft2006.pdf

14.

Ebner, W., Leimeister, J. M., & Krcmar, H. (2004, January 5–8). Trust in virtual healthcare communities: Design and implementation of trust-enabling functionalities. In Proceedings of the 37th Hawaii International Conference on System Sciences (HICSS 04) – Track 7, Big Island, Hawaii (p. 70182). Washington, DC: IEEE.

15.

European Council. (1995). Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Official Journal of the European Communities, 38(281), 31.

16.

European Council. (1997). Explanatory memorandum to recommendation (97) 5 on the protection of medical data. Strasbourg, France: Council of Europe.

17.

Federal Trade Commission. (2000). Identity Theft Victim Assistance Workshop. Washington, DC: Federal Trade Commission; c2000–2010 [cited 2010 June 4]. Retrieved June 4, 2011, from http://www.ftc.gov/bcp/workshops/idtheft/

18.

Hitrustalliance.net. (2009). Frisco, TX: Health Information Trust Alliance [updated 2010; cited 2010 June 4]. Available from https://www.hitrustcentral.net/

19.

ISO/CD. (2005). ISO/CD 22857:2004: Health informatics – Guidelines on data protection to facilitate trans-border flows of personal health information. Geneva, Switzerland: ISO/CD.

20.

ISO/IEC. (2005). ISO/IEC 27001:2005: Information technology – Security techniques – Information security management systems – Requirements. Geneva, Switzerland: ISO/IEC.

21.

ISO/IEC. (2005). ISO/IEC 27002:2005: Information technology – Security techniques – Code of practice for information security management. Geneva, Switzerland: ISO/IEC.

22.

ISO/IEC. (2008). ISO/IEC 27005:2008: Information technology – Security techniques – Information security risk management. Geneva, Switzerland: ISO/IEC.

23.

ISO/IEC. (2008). ISO/IEC 27799:2008: Health informatics –Information security management in health using ISO/IEC 27002. Geneva, Switzerland: ISO/IEC.

24.

Jones, V. M., van Halteren, A. T., Dokovski, N. T., Koprinkov, G., Peuscher, J., Bults, R., et al. (2006). Mobihealth: Mobile services for health professionals. In R. S. H. Istepanian, S. Laxminarayan, & C. S. Pattichis (Eds.), M-health emerging mobile health systems (pp. 237–246). New York: Springer.

25.

Kaplan, D. (2009, March 2). Group unveils first-of-its-kind standard to secure patient data. SC Magazine, NEWS. Retrieved March 4, 2009, from http://www.scmagazineus.com/group-unveils-first-of-its-kind-standard-to-secure-patient-data/article/128168/

26.

Kui, M., Yue, W., Xu, Z., Xiaochun, X., & Gengdu, Z. (2005, September 21–23). A trust management model for virtual communities. In Proceedings of the 5th International Conference on Computer and Information Technology (CIT 05), Shanghai, China (pp. 741–745). Washington, DC: IEEE.

27.

Kyriacou, E., Pavlopoulos, S., Berler, A., Neophytou, M., Bourka, A., & Georgoulas, A. (2003). Multipurpose health care telemedicine systems with mobile communication link support. Biomedical Engineering Online, 2, 7.CrossRef

28.

Laleci, G. B., Dogac, A., Olduz, M., Tasyurt, I., Yuksel, M., & Okcan, A. (2008). SAPHIRE: A multi-agent system for remote healthcare monitoring through computerized clinical guidelines. In R. Annicchiarico, U. Cortés, & C. Urdiales (Eds.), Agent technology and e-health (Whitestein series in software agent technologies and autonomic computing, pp. 25–44). Basel, Switzerland: Birkhäuser.CrossRef

29.

Law 2472/1997: Protection of individuals from personal data processing, Pub. L. No. 2472, Greece (1997).

30.

Law 3418/2005: Medical code of deontology, Pub. L. No. 3418, Greece (2005).

31.

Law 3471/2006: Protection of personal data and privacy in the telecommunications sector – Amendment of Law 2472/1997, Pub. L. No 3471, Greece (2006).

32.

Lorincz, K., Malan, D. J., Fulford-Jones, T. R. F., Nawoj, A., Clavel, A., Shnayder, V., et al. (2004). Sensor networks for emergency response: Challenges and opportunities. IEEE Pervasive Computing, 3(4), 16–23.CrossRef

33.

Maji, A. K., Mukhoty, A., Majumdar, A. K., Mukhopadhyay, J., Sural, S., Paul, S., et al. (2008, January 29). Security analysis and implementation of web-based telemedicine services with a four-tier-architecture. Proceedings of the 2nd International Workshop on Connectivity, Mobility and Patients’ Comfort (CMPC), Tampere, Finland (pp. 46–54). New York: ACM.

34.

McClure, S., Scambray, J., & Kurtz, G. (2003). Hacking exposed: Network security secrets and solutions (4th ed.). Berkeley, CA: McGraw-Hill/Osborne.

35.

Mondy, J., & Torresi, M. (2008). CIGNA creating a virtual health care community. CIGNA website, News Releases. Retrieved June 4, 2010, from http://newsroom.cigna.com/article_display.cfm?article_id=925

36.

Mufti, M., Agouridis, D., Din, S., & Mukhtar, A. (2009, June 9–13). Ubiquitous wireless infrastructure for elderly care. In Proceedings of the 2nd International Conference on Pervasive Technologies Related to Assistive Environments (PETRA 09), Corfu, Greece (pp. 1–5). New York: ACM Press.

37.

Ng, H. S., Sim, M. L., & Tan, C. M. (2006). Security issues of wireless sensor networks in healthcare applications. BT Technology Journal, 24(2), 138–144.CrossRef

38.

Orrin, S. (2004). The twelve most common application level hack attacks. Watchfire Corporation Whitepaper. Retrieved June 4, 2010, from http://www.emedia.co.uk/FM/GetFile.aspx?id=58740

39.

Parducci, B., Lockhart, H., Levinson, R., & McRae, M. (2005). eXtensible Access Control Markup Language (XACML) Version 2.0 core specification. Billerica, MA: OASIS. Retrieved from www.oasis-open.org/committees/xacml/

40.

Raywood, D. (2009, May 6). Social engineering attack allowed consultant to access company’s data room and steal passwords. SC Magazine, NEWS. Retrieved June 4, 2010, from http://www.scmagazineuk.com/Social-engineering-attack-allowed-consultant-to-access-companys-data-room-and-steal-passwords/article/136278

41.

RFC2267 – Network ingress filtering. Defeating denial of service attacks which employ IP source address spoofing. (2010). Available from Internet Engineering Task Force website. Retrieved January 2, 2004, from http://www.ietf.org/rfc/rfc2267.txt

42.

RFC3882 – Configuring BGP to block denial-of-service attacks. (2010). Available from Internet Engineering Task Force website. Fremont, CA. Retrieved June 4, 2010, from http://www.ietf.org/rfc/rfc3882.txt

43.

Schopp, L. H., Hales, J. W., Quetsch, J. L., Hauan, M. J., & Brown, G. D. (2004). Design of a peer-to-peer telerehabilitation model. Telemedicine Journal and e-Health, 10(2), 243–251.CrossRef

44.

Seamons, K., Winslett, M., Yu, T., Yu, L., & Jarvis, R. (2003). Protecting privacy during on-line trust negotiation. In R. Dingledine & P. Syverson (Eds.), LNCS 2482: Proceedings of the 2nd Workshop on Privacy Enhancing Technologies (PET 2002), April 14–15, 2002, San Francisco, USA (pp. 129–143). Berlin: Springer.

45.

Stanberry, B. (1998). The legal and ethical aspects of telemedicine: Data protection, security and European law. Journal of Telemedicine and Telecare, 4(1), 18–24.CrossRef

46.

Stefanov, H., Bien, Z., & Won-Chul, B. (2004). The smart house for older persons and persons with physical disabilities: Structure, technology arrangements, and perspectives. IEEE Transactions on Neural Systems and Rehabilitation Engineering, 12(2), 228–250.CrossRef

47.

U.S. Congress. (1996) Health Insurance Portability and Accountability Act, USA. Pub. L No. 104-191, 110 Stat. 1936.

48.

US Department of Health and Human Services, Office for Civil Rights. (2003). Standards for privacy of individually identifiable health information. Washington, DC: US Department of Health and Human Services.

49.

Varlamis, I., & Apostolakis, I. (2010). Self-supportive virtual communities. International Journal on Web Based Communities, 6(1), 43–61. doi:10.1504/IJWBC.2010.030016.CrossRef

50.

Vlachos, V., Spinellis, D., & Androutsellis-Theotokis, S. (2009, September 23–25). Biological aspects of computer virology. In A. P. Sideridis & C. Z. Patrikakis (Eds.), Proceedings of the 3rd International Conference on e-Democracy, Athens, Greece (pp. 202–219). Berlin: Springer.

51.

Wang, X., Lao, G., DeMartini, T., Reddy, H., Nguyen, M., & Valenzuela, E. (2002, November 22). XrML – eXtensible rights markup language. In Proceedings of ACM Workshop on XML Security (XMLSEC ‘02); Fairfax, VA (pp. 71–79). New York: ACM.

52.

Warren, S., Lebak, J., Yao, J., Creekmore, J., Milenkovic, A., & Jovanov, E. (2005, September 1–4). Interoperability and security in wireless body area network infrastructures. In Proceedings of the 27th Annual International Conference of Engineering in Medicine and Biology Society (IEEE-EMBS), Shanghai, China, 4, 3837–3840.

Titel: A Security Model for Virtual Healthcare Communities
verfasst von: Anargyros Chryssanthou
Iraklis Varlamis
Charikleia Latsiou
Verlag: Springer New York
Buch: Virtual Communities, Social Networks and Collaboration
Print ISBN: 978-1-4614-3633-1

Electronic ISBN: 978-1-4614-3634-8

Copyright-Jahr: 2012
DOI: https://doi.org/10.1007/978-1-4614-3634-8_5

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"